[whatwg] postMessage's target origin argument can be a full URL in some implementations

Hallvord R M Steen hallvors at gmail.com
Tue Jul 20 12:18:25 PDT 2010 

>> I agree with that in general, however it makes things harder that this
>> is an issue that might have security implications.
>
> The security implication being that authors might get confused about what
> the origin actually means and whom they can expect messages from, right?

More precisely who they can send messages too. An author writing a
script to run on e.g. sites.google.com/site/foo migh use postMessage
for private data intended for other pages on his site, and believe
that specifying the target origin http://sites.google.com/site/foo
would prevent sites.google.com/site/bar from listening in.

>> Facebook uses it in a "clever" way to actually pass on some GUID/data
>> in the path, which will presumably appear in e.origin in the message
>> listener?
>
> e.origin is the origin the event originated at.  It's computed by the
> browser, and is entirely independent of the arguments passed to postMessage.
>  In Gecko's case, this is computed using the "compute an origin" URI in the
> HTML5 spec.

That is the way I thought it worked, so now I am pretty curious what
the point of the FB code I saw is..

http://connect.facebook.net/en_US/all.js :

FB.XD._origin=(window.location.protocol+'//'+window.location.host+'/'+FB.guid());

But I guess they might use this FB.guid() part in other ways to do
cross-document messaging within this same library.

> The only thing the string passed to postMessage is used for is same-origin
> comparisons when deciding whether to deliver the event at all.  And of
> course same-origin comparisons don't depend on the path portion of the url;
> I would expect every single web developer who knows what a same-origin
> comparison is to know that...

OK.

Adam Barth wrote:

>  If I were to rate this as a security vulnerability, I'd rate it as
> SecSeverity-None, which means I wouldn't even issue an advisory for it.

Fine, we will change it on our side, and I commented on the spec:
http://www.w3.org/Bugs/Public/show_bug.cgi?id=10211

-- 
Hallvord R. M. Steen

More information about the whatwg mailing list